

  1. Secure SDLC: The Good, The Bad, and The Ugly
     Joey Peloquin, Director, Application Security, FishNet Security
     [email_address] 214.909.0763
     11.13.2009
  2. Agenda
     • Secure Development Programs
         • The Good, The Bad, and The Ugly
     • QSA Perspectives
         • Application Security in a PCI World
     • Secure SDLC
         • The Essential Elements & Where to Start
     • Post-Mortem
         • A Flawed “AppSec” Program Made Right
     • Q & A
  3. Secure Development Programs
  4.
  5. 
     • Top -> Down Support
     • Clearly Defined Processes
     • Focus on Training and Education
     • Security is a Function of Quality Management
     • Properly Leveraging Technology
     • Third-party Partnerships
     • Go – No-Go Authority
     • Working Smarter, Not Harder
  6.
  7. 
     • Insufficient Support from Management
     • Reactive Security Posture
     • Check-in-the-box Mentality
     • Insufficient Vulnerability Management
     • No Developer Training
     • Lack of Application Security Awareness
     • Insufficient Standardization
     • Development Silos
  8.
  9. 
     • Complete Lack of Management Support
     • Devoid of Security Awareness
     • “Wow, there’s organizations devoted to Application Security that offer free information, tools, and standards?”
     • Complete Lack of Vulnerability Management
     • Little Standardization
     • No Quality Management
     • Pattern of Denial
  10. QSA Perspectives
  11. QSA Perspectives
     • “I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system. We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
     • - Rep. Bennie Thompson
  12. Elements of a PCI Compliant Program
     • Security Throughout the Lifecycle
         • Requirements, checkpoints, accreditation, testing
     • Well-documented and Maintained SDLC
         • I’m from Missouri…
     • Knowledgeable Developers
         • Coding examples, processes
     • Peer Reviews
         • Someone other than the dev; examine comments
  13. Um, sorry, that is not compliant…
     • Homegrown Encryption
         • Publicly available, commercial/open source
     • Code Reviews
         • No, you can’t review your own…
     • Look at the Pretty WAF!
         • Yes, it has to actually be configured to block, /sigh
     • “We have a WAF, so we don’t need to fix our code.”
     • “Our IPS can totally block SQLi and XSS!”
  14. Section 6.6 Compliance
     • WAF
         • Network diagrams
         • Configuration
         • Logging
     • Code Reviews
         • Documented policy, process, methodologies
         • Reports
         • Internal or third-party?
         • Tester’s role
         • Tester’s credentials
  15. Secure SDLC
  16. Essential Elements
     • Executive Champion
     • Mid-level Support
     • Support of The Business
     • People
     • Process
     • Technology
     • … and unfortunately;
         • Time & Money help a great deal.
  17.
  18. Where to Start?
     • Assess your current maturity level
     • Identify Business and Security Objectives
     • Plan your work and work your plan!
     • Document your approach
         • Who, what, when, where, how?
     • Dr. McGraw’s Touchpoints:
         • Code Reviews (Static Analysis)
         • Risk Analysis (Threat Modeling)
         • Skills Assessment and Training
         • Penetration Testing (Dynamic Analysis)
  19. Application Security Scale of Maturity
     • Sustained Maturity
         • Centralized People, Processes and Technology
         • Application security integrated seamlessly into quality lifecycle, becoming third pillar
         • Application security team has Enterprise influence
         • Security addressed throughout SDLC and applied retroactively to legacy applications
     • Security Fitness
         • Security baked into SDLC, discussed during design phase
         • Security checkpoints defined and enforced
         • Centralized, reusable resources for developers
         • Centralized testing and remediation tracking
         • Development mentors identified and trained
     • Proactive Security
         • Champion and stake-holders identified
         • Policies, standards & processes established
         • Tools evaluated and purchased
         • Automated and manual internal testing
         • Developer training and awareness
     • Reactive Security
         • Standards-based internal processes lead to a basic level of awareness
         • Some manual testing, looking into automation
         • Recognize need for application security, but don’t know where to start
     • Security Unaware
         • No documented Application Security practices
         • No internal testing, merely annual penetration test
         • No application security awareness or developer training
     • Axes:
         • Increasing Maturity
         • Decreasing Overall Development Cost
  20. Post-Mortem: A Flawed Attempt at Building Security In…
  21. Mistakes / Issues (Opportunities?!)
     • Lost executive champion
     • Lack of mid-level support
     • Staff Reorganization
     • No business support
     • No defined processes
     • Not enough expertise
     • Development silos
     • Shelfware
  22. Putting the Pieces Back Together
     • Educate The Business
     • Security Requirements
     • Define Standards
     • Define Processes
     • Development Mentors
     • HP AMP – SaaS
     • Offensive Security
         • License to Pen-test